1. a. But it's not that it proves a negative, but rather that it shows a lack of positive hits and therefore of relevance to an investigation.

Sure, but as long as it is enough to avoid seizing the device for later examination, it effectively excludes the device AND thus it does prove - to all practical effects - a negative.

- EricZimmerman

2. b. For training, you are talking half a day max, assuming they have some basic general computer skills/have been trained in their types of investigation outside computers.

Good.

- EricZimmerman

3. a. This happens routinely without *need* of a full forensic exam here in the USA across a wide range of departments. Charges are regularly filed based on triage results alone.

Very good, so there is no need for a full examination, i.e. "the tool" does completely replace the "full" examination (which is perfectly in line with answer 1.a, BTW).

- EricZimmerman

4. This is not a valid question IMO. The best answer available is c. If I was asked that question on the stand I would say no exam is as complete as possible, because I could get more people to look at it, look at different artifacts, by hand, and so the rabbit trail goes. Whoever uses the tool would state what they did. If there was some underlying question of how the software works, the program's author could be subpoenaed perhaps, but in the case of forensics it's finding "stuff" that can then be validated with any other tool anyone else wanted to. If you only used triage then it would be the defense who would be reviewing the evidence and then reporting on their findings. Triage doesn't fabricate anything that isn't there. It just finds "stuff" quickly and makes it available in minutes vs months.

If a tool shows you the contents of a prefetch file, that can be validated with any other tool and certainly a hex editor. Digital evidence is either present or not. If someone doesn't have the skill to find/access/verify something, that is a different story, but that doesn't negate the use of tools by other people.

The point was not about "the tool" fabricating anything, of course; it was about the possibility of it missing *something* that could be found in other ways (i.e. through a "full" examination) and that - according to current policies/guidelines/whatever - should be searched for.
Like in your own explanation of my previous example (an explanation that was very clear to me) about it not "being enough" to find the 3127 images:

- EricZimmerman

If a single image is found (or even indications of their presence), it's enough to take a computer. With a warrant you can take everything as specified in the warrant.

In CP-related cases, you have to go through all images and videos to make sure the subject is not producing CP. It is not enough to just find known images and charge based on that.

About this:

- EricZimmerman

It would be very difficult to testify that something is, for all users, "conforming to policies, guidelines and state of the art" because those things differ pretty much across everyone. Rather, a tool is minimally intrusive, its results are repeatable on the same evidence, and its impact on a computer can be shown to be consistent. Many of the quoted things are agency-specific, and if a given tool is approved by an agency, then those things would be true.

My impression was that a large part of being called as an Expert Witness in Court is putting one's face behind the presented results, assuring both the Court and the Jury (if any) that, besides the actual results, every possible (within limits of course) attempt to gather ALL data has been carried out and that the procedure was done by qualified personnel using the best possible and latest (within limits of course) technology available.
There are threads on the forum about how to dress, about the "opportunity" of having visible tattoos or piercings, about the way to answer questions asked by the Judge or by the counterpart; all of these would make little sense if the only thing that matters is the results of the examination and the written report.

The risk - as I see it - with "the tool" (which of course is exactly the same as the one involved in having the "full" examination carried out by a not-qualified-enough or not-expert-enough or "superficial" or "lazy" digital investigator) is not that it fabricates anything, but that it can miss something.
If no one - periodically - tests and somehow certifies "the tool" (possibly it being closed source/proprietary software), there is the risk that "the tool" becomes outdated.
On the other hand, if "the tool" is Open Source (and even if it is closed source/proprietary), its behaviour may become "predictable" and one or more of the bad guys (the few technically advanced/knowledgeable ones) may find ways to have their illegal activities go undetected by "the tool".

- EricZimmerman

As I think you mentioned, I don't need to know 100% of everything there is to know about a given system. At some point your return on what you get is far less than the time invested.

And I do follow you in this, and I find "the tool" and its approach very valid for a whole range of investigations, but possibly not suited for the CP/IIOC ones, since there is this *need* for absolute certainty (again, within limits) that nothing has been left behind.

If the Law (and/or the policies/guidelines) were to say that the 90% "guaranteed" by the tool is "enough", there would be no problems whatsoever.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -

To add to the argument / constructive criticism: some UK forces have the Aceso Kiosk; let's say we had the same for a computer / laptop acquisition.

The non-tech police officer has "triaged" the 5 machines, 1 has a hit with IIOC, the suspect is arrested and the 20,000 live CP images are inputted into a kiosk at the station, the Kiosk generates a report based on the IIOC database and aggravating factors (peer-to-peer s/w etc.) and then the suspect is led for interview...

That could be a reality, but the issue is that such a low level of diligence will result in false/incorrect charges, reputational damage to the investigating agency and appeals that will mean it would have been more cost-effective to do the job to a higher standard in the first place.
_________________
Neddy
Forensic Computer Analyst (LE)
BSc (Hons)
!(-.-)!~~

That could be a reality, but the issue is that such a low level of diligence will result in false/incorrect charges, reputational damage to the investigating agency and appeals that will mean it would have been more cost-effective to do the job to a higher standard in the first place.

I'll have to disagree on that. It's not like a prosecutor will just wildly go off and file charges without due diligence. They aren't going to just look at some report that someone can't explain and be like "yeah, let's charge this guy!" I just don't see that happening. On the other hand, if I can take a report generated from triage/live response and explain what we have, why not file charges? I can always supersede an indictment later if something heinous is found.

People act like triage/live response is planting evidence or getting it wrong and that only "real/full" forensics can find evidence. Corroborate your findings from triage with X-Ways or whatever you want. You will find that what the "real" tool shows you is the same as what a (well-written) triage tool shows.

Can you find MORE with a full tool? Most likely yes, but the point of triage is not to find/show/process/report ALL (which is impossible) but to find enough to move the case forward sooner rather than later.

The bottom line is this: did the tool (either triage or a 'full' tool) find evidence that is chargeable and that meets the comfort level of a prosecutor?

And pfsfsf, I would take it further. With proper search warrant execution you would have the majority of that information BEFORE YOU ASKED YOUR SUBJECT THE FIRST QUESTION. You would have all the answers to your questions and would know whether he is being honest or not.

Contrast this to the "take it all and sort it later" approach and you miss so much opportunity.

I'll have to disagree on that. It's not like a prosecutor will just wildly go off and file charges without due diligence. They aren't going to just look at some report that someone can't explain and be like "yeah, let's charge this guy!" I just don't see that happening. On the other hand, if I can take a report generated from triage/live response and explain what we have, why not file charges? I can always supersede an indictment later if something heinous is found.

People act like triage/live response is planting evidence or getting it wrong and that only "real/full" forensics can find evidence. Corroborate your findings from triage with X-Ways or whatever you want. You will find that what the "real" tool shows you is the same as what a (well-written) triage tool shows.

Can you find MORE with a full tool? Most likely yes, but the point of triage is not to find/show/process/report ALL (which is impossible) but to find enough to move the case forward sooner rather than later.

The bottom line is this: did the tool (either triage or a 'full' tool) find evidence that is chargeable and that meets the comfort level of a prosecutor?

Still, you are flip-flopping with words.

I believe no one in his right mind can imagine that "the tool" plants evidence.
As well, no one would believe that on such a delicate matter a prosecutor will charge someone without "enough" evidence.

And you seem to be going over and over (and over) the point that "the tool" has a very high level of accuracy, comparable to that of a "full" investigation (and again, no one doubted that *whatever* "the tool" can and will find will always and fully be confirmed by a later "full" analysis).

But the point is still another one.

Is the *whatever* "the tool" can and will find "enough"?
And can a device where "the tool" has been run without result be excluded from seizure and further analysis?
I.e. can *someone* (again the Law, a Court, accepted policies or guidelines) state this in an unequivocal manner?
And will this happen?

If yes, it's fine and dandy: "the tool" should NOT be connected to "triage" but rather to "automated analysis", and we can get rid of a lot of wasted time with the "full" analysis.
If no, it's a pity, and if there is the *need* to perform a "full" analysis anyway on ALL devices, no matter the results of running "the tool", then "the tool" is an actual "triage" aid that may have some use in changing the order in which the "full" analysis is performed.

To repeat myself, the concept of triage is only that of giving a priority in order to examine fully x before y.

Right now "the tool" (unless and until the mentioned statement about its use is official) represents IMHO a very, very nice, quick tool that may be extremely useful as a "double check" when the "full" analysis is performed.

In a perfect world, each and every digital investigator would, starting from tomorrow, run "the tool" right before performing a "full" analysis on a device, then provide BOTH reports, underlining the differences (if any) between what was found in the few minutes it took "the tool" to analyze the device and what was found in the several hours needed for the "full" analysis; then there will be some objective data.

If after a given period of time - let's say six months from now - a few tens, hundreds or thousands of such reports (with no or trivial/minimal differences) land on the desks of supervisors, prosecutors and judges, then probably policies/guidelines will be amended.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -

Digital forensic triage is morphing into evidential methods akin to the streamlined reporting processes that we see in DNA etc., and is giving the impression to the untrained that an OS Triage report or its ilk may be used in court to support charges without any experienced oversight.

The arguments being discussed here can be defined by whether you agree that this is good practice or not. Having used all of the major OS Triage tools, I do not agree that they alone are robust enough to support charging without proper review or oversight.
_________________
Neddy
Forensic Computer Analyst (LE)
BSc (Hons)
!(-.-)!~~